Symantec AppStream and Workspace Streaming vulnerable to arbitrary code download and execution
D-SWAT
A vulnerability has been reported in Symantec AppStream and Symantec Workspace Streaming, which could potentially lead to unauthorized download of arbitrary code to a client system.
CERT identified a weakness in the Symantec Workspace Streaming application (formerly Symantec AppStream). The Symantec Workspace Streaming client does not properly authenticate with the server prior to downloading available files hosted on the server.
The Symantec Workspace Streaming client is configured to handle the "aswe" protocol. By processing an "aswe://" URI, the Symantec Workspace Streaming client will download and execute applications from the specified Workspace Streaming server. The Symantec Workspace Streaming client and prior variants fail to properly authenticate with the server component of the software.
The vulnerability is reported in Symantec AppStream 5.2.x and Symantec Workspace Streaming 6.1.x prior to 6.1 SP4.
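An added detection example (not from the advisory or from Symantec): because the client acts on any "aswe://" link it is handed, mail, web or proxy content can be scanned for such links whose server is not one of your own Workspace Streaming servers. The server name in TRUSTED_SERVERS and the sample lines, including everything after the host, are constructed; only the "aswe" scheme comes from the advisory.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostnames of the organisation's own streaming servers (constructed).
TRUSTED_SERVERS = {"stream01.corp.example"}

# URI schemes are case-insensitive, so match ASWE:// as well. Stop at whitespace,
# quotes and angle brackets so links embedded in HTML or mail are cut cleanly.
ASWE_URI = re.compile(r"aswe://[^\s\"'<>]+", re.IGNORECASE)


def find_untrusted_aswe(text, trusted=TRUSTED_SERVERS):
    """Return (uri, host) for every aswe:// link whose server is not trusted."""
    hits = []
    for match in ASWE_URI.finditer(text):
        uri = match.group(0).rstrip(".,;)")  # drop trailing sentence punctuation
        try:
            # Take the host from the parsed authority rather than searching the
            # string, so a trusted name elsewhere in the link does not count.
            host = urlsplit(uri).hostname
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            host = None
        # Normalise case and the optional trailing dot of a fully qualified name.
        host = (host or "").lower().rstrip(".")
        if host not in trusted:
            hits.append((uri, host))
    return hits


# Constructed sample input: an HTML link, a proxy log line and a line of mail text.
SAMPLE = """
<a href="aswe://stream01.corp.example/launch?app=editor">Editor</a>
GET /redirect?to=ASWE://Files.Untrusted.Example:8080/pkg HTTP/1.1
See aswe://stream01.corp.example./launch for the viewer.
"""

if __name__ == "__main__":
    for uri, host in find_untrusted_aswe(SAMPLE):
        print(f"untrusted aswe link: {uri} (server: {host or 'none'})")
```

Links with an empty or unparsable server are reported as well, since they cannot be shown to point at a trusted server.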
Solution:
Apply the appropriate patch for your system. This issue is addressed in Symantec Workspace Streaming 6.1 SP4. Please see Symantec Advisory SYM10-008 for more details.
References:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100616_00
http://www.kb.cert.org/vuls/id/221257
This information is from DrayTek Corp.